refactor: simplify nginx config

Ivan R. 2024-03-04 19:59:16 +05:00
parent e26d4f9722
commit 2e511cc4de
No known key found for this signature in database
GPG key ID: 56C7BAAE859B302C
11 changed files with 139 additions and 163 deletions


@ -5,4 +5,18 @@
image = "ghcr.io/ordinary-dev/comfycamp:v0.6.0";
ports = ["55007:80"];
};
services.nginx.virtualHosts."[201:80ed:6eeb:aea4:cdc0:c836:2831:f2dd]" = {
locations = {
"/".proxyPass = "http://127.0.0.1:55007";
};
};
services.nginx.virtualHosts."comfycamp.space" = {
useACMEHost = "comfycamp.space";
forceSSL = true;
locations = {
"/".proxyPass = "http://127.0.0.1:55007";
};
};
}
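Review bot: The two new vhosts proxy to `http://127.0.0.1:55007`, but the container above publishes `55007:80` with no host address, which on Docker or Podman binds the port on every interface (Docker additionally inserts its own iptables rules ahead of the NixOS firewall), so the application presumably stays reachable directly and skips the TLS redirect, HSTS and access-log policy these vhosts add. Binding the publish to loopback, `ports = ["127.0.0.1:55007:80"];`, makes nginx the only entry point; the same check applies to the other container ports this commit proxies to. The `[201:…]` vhost is plain HTTP by design — presumably a Yggdrasil address, which is encrypted on the wire — and a one-line comment saying so would stop a later reader from adding `forceSSL` to it. The module header enclosing this hunk is outside it.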


@ -13,4 +13,9 @@
passwordFile = "/var/lib/secrets/freshrss/password.txt";
virtualHost = "freshrss.comfycamp.space";
};
services.nginx.virtualHosts."freshrss.comfycamp.space" = {
useACMEHost = "comfycamp.space";
forceSSL = true;
};
}


@ -3,4 +3,15 @@
services.jellyfin = {
enable = true;
};
services.nginx.virtualHosts."jf.comfycamp.space" = {
useACMEHost = "comfycamp.space";
forceSSL = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8096";
proxyWebsockets = true;
};
};
};
}


@ -25,4 +25,10 @@
"driver postgres"
] options.services.maddy.config.default;
};
services.nginx.virtualHosts."mta-sts.comfycamp.space" = {
useACMEHost = "comfycamp.space";
forceSSL = true;
root = "/var/lib/mta-sts";
};
}
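Review bot: The `mta-sts.comfycamp.space` vhost reuses the `comfycamp.space` certificate via `useACMEHost`; MTA-STS senders validate that certificate against the `mta-sts.` hostname and treat a mismatch as a policy-fetch failure, so the ACME cert must carry that name as a SAN (or a wildcard) — nothing in this hunk shows it, so a comment such as `# The comfycamp.space ACME cert must include mta-sts.comfycamp.space as a SAN (RFC 8461 §3.3).` would record the dependency. Serving all of `/var/lib/mta-sts` as `root` is fine while only `.well-known/mta-sts.txt` lives there; anything else dropped into that directory becomes public. The module header enclosing this hunk is outside it.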


@ -78,4 +78,31 @@
systemd.services.mastodon-sidekiq-all = {
serviceConfig.ReadWritePaths = "/hdd/mastodon-public-system";
};
services.nginx.virtualHosts."m.comfycamp.space" = {
useACMEHost = "comfycamp.space";
forceSSL = true;
root = "${config.services.mastodon.package}/public/";
locations = {
"/system/" = {
alias = "/var/lib/mastodon/public-system/";
};
"/" = {
tryFiles = "$uri @proxy";
};
"@proxy" = {
proxyPass = "http://unix:/run/mastodon-web/web.socket";
proxyWebsockets = true;
};
"/api/v1/streaming/" = {
proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket";
proxyWebsockets = true;
};
};
};
}
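Review bot: The `/system/` location serves user-uploaded media straight from disk with only an `alias`, and nothing in this hunk restricts what a browser may do with those files; Mastodon's upstream nginx template sends `Content-Security-Policy "default-src 'none'; form-action 'none'"` and `X-Content-Type-Options nosniff` on that path so an uploaded HTML or SVG cannot run script in the m.comfycamp.space origin. Because nginx inherits `add_header` directives into a location only when that location declares none of its own, the HSTS header set at http level has to be repeated alongside them (the `$hsts_header` map lives in the nginx module's `commonHttpConfig`). Separately, the sidekiq unit above is granted write access to `/hdd/mastodon-public-system` while nginx serves `/var/lib/mastodon/public-system/`; presumably one is a bind mount or symlink of the other, which deserves a comment — with a symlink the nginx user also needs traverse permission on `/hdd`. The module header enclosing this hunk is outside it.
```nix
"/system/" = {
  alias = "/var/lib/mastodon/public-system/";
  extraConfig = ''
    # Uploaded media must not execute in this origin. add_header in a
    # location suppresses inherited headers, so HSTS is repeated here.
    add_header Strict-Transport-Security $hsts_header;
    add_header Content-Security-Policy "default-src 'none'; form-action 'none'";
    add_header X-Content-Type-Options nosniff;
  '';
};
# … unchanged: "/", "@proxy" and "/api/v1/streaming/" locations …
```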


@ -15,4 +15,14 @@ in
"/run/postgresql:/run/postgresql"
];
};
services.nginx.virtualHosts."0ch.space" = {
useACMEHost = "0ch.space";
forceSSL = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:55006";
};
};
};
}


@ -20,4 +20,9 @@
createLocally = false;
};
};
services.nginx.virtualHosts."nc.comfycamp.space" = {
useACMEHost = "comfycamp.space";
forceSSL = true;
};
}


@ -1,14 +1,4 @@
{ config, ... }:
let
# Required stuff for synapse
clientConfig."m.homeserver".base_url = "https://matrix.comfycamp.space";
serverConfig."m.server" = "matrix.comfycamp.space:443";
mkWellKnown = data: ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in {
{ config, ... }: {
services.nginx = {
enable = true;
recommendedTlsSettings = true;
@ -16,15 +6,6 @@ in {
recommendedGzipSettings = true;
recommendedProxySettings = true;
appendHttpConfig = ''
map $status $loggable {
~^[23] 0;
default 1;
}
access_log /var/log/nginx/access.log combined if=$loggable;
'';
commonHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
@ -32,149 +13,14 @@ in {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
access_log off;
# Log 4xx and 5xx errors.
map $status $loggable {
~^[23] 0;
default 1;
}
access_log /var/log/nginx/access.log combined if=$loggable;
'';
virtualHosts = {
"[201:80ed:6eeb:aea4:cdc0:c836:2831:f2dd]" = {
locations = {
"/".proxyPass = "http://127.0.0.1:55007";
};
};
"comfycamp.space" = {
useACMEHost = "comfycamp.space";
forceSSL = true;
locations = {
"/".proxyPass = "http://127.0.0.1:55007";
# This section is not needed if the server_name of matrix-synapse is equal to
# the domain (i.e. example.org from @foo:example.org) and the federation port
# is 8448.
# Further reference can be found in the docs about delegation under
# https://matrix-org.github.io/synapse/latest/delegate.html
"/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
# This is usually needed for homeserver discovery (from e.g. other Matrix clients).
# Further reference can be found in the upstream docs at
# https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
"/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
};
};
# Phoenix
"ph.comfycamp.space" = {
useACMEHost = "comfycamp.space";
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:55009";
};
# Nextcloud
"nc.comfycamp.space" = {
useACMEHost = "comfycamp.space";
forceSSL = true;
};
# Jellyfin
"jf.comfycamp.space" = {
useACMEHost = "comfycamp.space";
forceSSL = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8096";
proxyWebsockets = true;
};
};
};
# Plausible
"plausible.comfycamp.space" = {
useACMEHost = "comfycamp.space";
forceSSL = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:55005";
};
};
};
# Microboard
"0ch.space" = {
useACMEHost = "0ch.space";
forceSSL = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:55006";
};
};
};
# Mail: MTA-STS
"mta-sts.comfycamp.space" = {
useACMEHost = "comfycamp.space";
forceSSL = true;
root = "/var/lib/mta-sts";
};
"matrix.comfycamp.space" = {
useACMEHost = "comfycamp.space";
forceSSL = true;
locations = {
"/".extraConfig = ''
return 404;
'';
# Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
# *must not* be used here.
"/_matrix".proxyPass = "http://127.0.0.1:8008";
# Forward requests for e.g. SSO and password-resets.
"/_synapse/client".proxyPass = "http://127.0.0.1:8008";
};
};
# Photoprism
"pp.comfycamp.space" = {
useACMEHost = "comfycamp.space";
forceSSL = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:55004";
proxyWebsockets = true;
};
};
};
# Freshrss
"freshrss.comfycamp.space" = {
useACMEHost = "comfycamp.space";
forceSSL = true;
};
# Mastodon
"m.comfycamp.space" = {
useACMEHost = "comfycamp.space";
forceSSL = true;
root = "${config.services.mastodon.package}/public/";
locations = {
"/system/" = {
alias = "/var/lib/mastodon/public-system/";
};
"/" = {
tryFiles = "$uri @proxy";
};
"@proxy" = {
proxyPass = "http://unix:/run/mastodon-web/web.socket";
proxyWebsockets = true;
};
"/api/v1/streaming/" = {
proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket";
proxyWebsockets = true;
};
};
};
};
};
users.users.nginx.extraGroups = [ "acme" ];
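Review bot: The `access_log … if=$loggable` now in `commonHttpConfig` keeps only 4xx/5xx responses, so successful logins, password resets and federation requests on every vhost leave no trace — a credential-stuffing run that succeeds is exactly a 2xx/3xx. If this is a deliberate privacy trade-off, say so in the `# Log 4xx and 5xx errors.` comment, e.g. `# Privacy: successful (2xx/3xx) requests are deliberately not logged; only 4xx/5xx are kept for debugging.`, so an incident responder knows what these logs cannot answer; otherwise consider logging the authentication endpoints unconditionally. After the refactor the module header `{ config, ... }: {` no longer references `config` on any visible line, so `{ ... }: {` would do, unless the part of the file beyond the last hunk still uses it.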


@ -12,4 +12,10 @@
"/var/lib/phoenix:/var/lib/phoenix"
];
};
services.nginx.virtualHosts."ph.comfycamp.space" = {
useACMEHost = "comfycamp.space";
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:55009";
};
}


@ -21,4 +21,15 @@
PHOTOPRISM_DETECT_NSFW = "false";
};
};
services.nginx.virtualHosts."pp.comfycamp.space" = {
useACMEHost = "comfycamp.space";
forceSSL = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:55004";
proxyWebsockets = true;
};
};
};
}


@ -1,5 +1,14 @@
{ config, ... }:
{
let
# Required stuff for synapse
clientConfig."m.homeserver".base_url = "https://matrix.comfycamp.space";
serverConfig."m.server" = "matrix.comfycamp.space:443";
mkWellKnown = data: ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in {
services.matrix-synapse = {
enable = true;
settings = {
@ -31,4 +40,30 @@
"/var/lib/secrets/matrix-synapse/config.yml"
];
};
services.nginx.virtualHosts."matrix.comfycamp.space" = {
useACMEHost = "comfycamp.space";
forceSSL = true;
locations = {
"/".extraConfig = ''
return 404;
'';
# Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
# *must not* be used here.
"/_matrix".proxyPass = "http://127.0.0.1:8008";
# Forward requests for e.g. SSO and password-resets.
"/_synapse/client".proxyPass = "http://127.0.0.1:8008";
};
};
# This section is not needed if the server_name of matrix-synapse is equal to
# the domain (i.e. example.org from @foo:example.org) and the federation port
# is 8448.
# Further reference can be found in the docs about delegation under
# https://matrix-org.github.io/synapse/latest/delegate.html
services.nginx.virtualHosts."comfycamp.space".locations."/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
# This is usually needed for homeserver discovery (from e.g. other Matrix clients).
# Further reference can be found in the upstream docs at
# https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
services.nginx.virtualHosts."comfycamp.space".locations."/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
}
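Review bot: `mkWellKnown` emits `add_header` directives inside the `/.well-known/matrix/*` locations, and nginx inherits `add_header` into a location only when that location declares none of its own, so those two responses lose the `Strict-Transport-Security` header the nginx module adds at http level. Appending `add_header Strict-Transport-Security $hsts_header;` to the `mkWellKnown` body restores it; the `$hsts_header` map is defined in the nginx module's `commonHttpConfig`, so it is in scope for every server block. The `Access-Control-Allow-Origin *` is what the Matrix client-server spec recommends for `/.well-known/matrix/client` and is harmless on the server file, but a comment such as `# CORS wildcard is recommended by the Matrix spec for .well-known discovery` would keep it from being "tightened" later.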